Converged logical and physical security

ABSTRACT

A security management system that includes a hierarchical security platform, converged IT and physical security management, unified credentialing, credential issuance and incident(s) management. An exemplary aspect of the invention also relates to physical and logical security management and information technology/network security management, with a credential issuance and integrity checking system as well as associated readers and printers of the credential. Still further aspects of the invention relate to obtaining, assembling and analyzing one or more of data, video information, image information, biometric information, sensor information, terrorist information, profile information, and/or other types of information to provide a comprehensive platform for all aspects of security management. A toolkit is also provided that allows complete management, integration, scalability, interoperability and centralized control of all aspects of security including personnel credentialing, personnel management, personnel tracking, task management, security system integration, security information exchange and scalability.

RELATED APPLICATION DATA

This application is a Continuation of U.S. patent application Ser. No. 14/802,660, filed Jul. 15, 2015, which is a Continuation of U.S. patent application Ser. No. 13/314,335, filed Dec. 8, 2011, which is a Continuation of U.S. patent application Ser. No. 11/740,063, filed Apr. 25, 2007, now U.S. Pat. No. 8,108,914, which claims the benefit of and priority under 35 U.S.C. §119(e) to U.S. Patent Application No. 60/794,529, filed Apr. 25, 2006, entitled “Emergency Responder Security System,” each of which, including the Appendix of the Ser. No. 11/740,063 Application, are incorporated herein by reference in their entirety.

BACKGROUND Field of the Invention

Exemplary aspects of this invention relate to security. More specific aspects of the invention relate to security management, a hierarchical security platform, converged IT and physical security management, unified credentialing, credential issuance and incident(s)/event management.

SUMMARY

The exemplary systems discussed herein are in general directed toward security and security management. An exemplary aspect of the invention relates to physical security management and information technology/network security management. Additional aspects of the invention relate to a credential issuance and integrity checking system as well as associated readers and printers of the credential certificate and electronic personalization. Still further aspects of the invention relate to obtaining, assembling and analyzing one or more of data, video information, image information, biometric information, sensor information, alarm information, perimeter information, terrorist information, profile information, and/or other types of information to provide a comprehensive platform for all aspects of security management. Still further aspects of the invention relate to providing a scalable toolkit that allows complete management, integration, interoperability and centralized control and monitoring of all aspects of security including personnel credentialing, personnel management, personnel tracking, task management, equipment management, security system integration and security information exchange.

The exemplary IT/network and physical security management system can be architected for open standards and its operability designed for modularity and scalability, and can be extendable across a spectrum of security needs, and adaptable to both legacy and upcoming technologies. The exemplary IT/network and physical security management system can also be networked with other IT/network and physical security management system(s) to allow for widespread security management, for example, during one or more non-collocated incidents, that may be one or more of international, federal, tribal, state, city or local in nature.

Supporting multi-function contact and contactless smart card/token/smart chip/embedded/implanted chip user validation, the exemplary system works with existing collocated and distributed facility environments, and optionally supports various technologies including fingerprint recognition, facial recognition, iris scanning, biometrics, geographic information system information feeds, and the like. Blending, for example, video surveillance and hazardous environmental sensors, the exemplary system can be adapted to interface with building control systems, alarm systems, existing card readers, annunciators, cameras and video cameras, enterprise IT security systems, enterprise hardwired or wireless security systems, alarm systems, and in general any security system. The exemplary system allows integration into even the most complex mission-critical enterprise IT security infrastructures through, for example, standard protocols, resulting in improved situational awareness, ability to correlate events and control responses in real-time, reduced administration overhead and improved audit and forensic capabilities.

The IT/network and physical security management system cooperates with the Incident Management Parameter Access Control and Tracking (IMPACT) family of solutions which provide access control and identity management for deployment by, for example, one or more of Federal, State, local and tribal governments. The IMPACT family of solutions can cooperate with IT/network and physical security management systems to allow control of physical and IT access using, for example, a unified credential. The system enables, for example, incident command to have a reliable, real-time emergency management hub that brings together all the assets and resources into a field environment, including, for example, personnel management and tracking, video surveillance and hazardous environment sensors, wireless communications and backend communications to Federal, State and/or regional resources. Various card issuance and reading systems are also supported as well as manufacturers of multi-technology smart cards, such as contact or contact-less smart cards, smart chips and embedded/implanted chips. The IMPACT family of solutions can be configured, for example, based on the type of incident or environment into which it is deployed. For example, the critical infrastructure elements discussed herein can each have a specific IMPACT solution that includes specific modules, interfaces, templates, workflows and processes or sub-processes pre-configured for deployment.

The exemplary system supports both a multi-function contact and contactless smart card/token/smart chip/embedded chip/implanted chip, user validation, and also works with a variety of incident scenarios and climatic environments.

The exemplary system supports both a multi-function contact and contactless smart chip user validation, and also works with a variety of incident scenarios and climatic environments.

The exemplary system supports both a multi-function contact and contactless embedded/implanted chip user validation, and also works with a variety of incident scenarios and climatic environments.

As examples, the systems described herein can be used for HSPD compliance, such as HSPD 5, HSPD 7 and HSPD 12. There are a number of critical infrastructure and key resource (CI/KR) sectors in which the systems described herein can be used, or defined to address any of the areas covered under these guidelines.

Exemplary non-limiting environments include: chemical, drinking water and wastewater treatment systems, energy (power facilities, electrical grid, oil & gas), dams, commercial nuclear reactors, water sectors, process manufacturing, emergency services, public health and healthcare, continuity of government, government facilities, defense facilities, defense industrial base, information technology, telecommunications, converged facilities, national monuments and icons, postal and shipping, banking and finance, commercial facilities, materials and waste, transportation systems, port security, aviation security, cargo, cruise ships, trains, mass transit, intermodal, food and agriculture, military, first responders, police, fire and OSHA compliance (authentication & tracking of machine use). However, in general the systems disclosed herein can be implemented in any environment(s).

As an example, in a national/city based incident, an ID is used to derive access to all City/National Resources, and can include all HSPD 7, and more. For example, access can be provided to water, power, facilities, transportation, city buildings and the like. In this example, the 4th factor of authentication, which is location based in time (Global/ZULU/GMT), can be supported. Additionally, a GUID and/or a UUID, which is a universal or global unique identifier, can also use certificates including but not limited to PKI, PKCS #, etc. GUIDs, UUIDs and certificates can be used in varying ways, as any one item can define identity. Use can be cumulative or stand-alone, or a process can select the preferred method for identity processes. The chip/card/implant has sectors that only allow authorized writers/readers/users, to allow for multi-use and multi-administrators. Built-in fail-safe options include a running agent that identifies debuggers, heap readers, disassemblers and other reverse engineering processes on the fly. Applications can then be shut down into their stored encrypted state. In case of additional tampering, after a certain threshold of code has been tampered with, Artificial Intelligence (AI) processes rewrite the code back to the original code base (last known good configuration), and/or after so much loss can seal it in an encrypted container so that only, for example, an authorized factory representative can reopen it, and/or it is destroyed. In addition, the software and hardware case can be configured to scramble drive contents upon compromise. This is useful in cases where classified data may sit on a device.

Optional configurations include: boot choice on start-up, including but not limited to evacuation conditions and/or bomb scenario and/or ingress/egress of any area; an artificial intelligence system; a self-healing network and systems component; attendance and HR; an embedded chip that could be in the body and/or hand and have multiple administrators for use in a single ID, multi-use and multi-administrators (i.e., where a chip/card has sectors that only allow authorized writers/readers/users, to allow multi-use and multi-administrators to access or update specific partitions/sectors); HSPD 7 and other applications and all critical infrastructures, and any and all additions now and in the future; sensors in the ceiling and/or roof area that, in cooperation with GPS and other backend systems, can track live movement of an individual and/or asset through space and time; and perimeter technologies, which can include but are not limited to line of sight, satellite, fiber drop wire, radar, microwave, seismic sensor, beams, etc. Perimeter technologies can be applied in a variety of environments to support very specific perimeter control requirements. All data and confidential information can be encrypted at rest and/or in transit; one exemplary way of encrypting traffic between the reader and the security system is by using encrypt and/or decrypt chips as an I/O board attached to the reader and/or the security system.

Cooperation between the exemplary IMPACT family of solutions and the IT/network and physical security management system allows interface designs to be built as modules that can be used as a checklist to compile to produce any security product to address all critical infrastructures and/or any other security systems, force protection, border control and/or need. These, as discussed, at least include the following modules: sensor modules, including but not limited to chemical, hazardous, environmental, temperature and HVAC; and physical security modules, including but not limited to glass break, motion detection, physical access control, magnetic stripe, fire suppression, etc. Converged physical and IT security access control is built into one or more of the described systems, which can include a communications module, including but not limited to 900 MHz, 2.4 MHz, satellite, microwave, 800 MHz, HAM radio, 802.11, fiber optic, VOIP, CDMA, GPRS, etc. They also include the identity management aspects of the invention and the mapping module (static, internet based, real-time imagery, data based and others), the cameras module, the behavioral analysis modules, the audio and audio analysis modules, the EMS modules and the alerting and logging modules.

The security system is an application that converges logical and physical security into a unified process for access control of physical entities and network or other logical entities.

Exemplary Components that allow this converged design are:

-   1. Client software provides an interface to an Active Directory structure or an identity management structure (also includes Federated Identity Management schema), LDAP (Lightweight Directory Access Protocol), and other schemas for identity information including InfoCard, the physical access control structure and allows for configurations of security zones, access permissions, camera operations, alerting, logging and other processes that support physical and logical access control.
-   2. Remote controller is the domain controller containing the primary active directory structure and the controlling operating system.
-   3. Physical access controllers are devices that provide reader control for physical access.
-   4. Cameras.
-   5. Logical control readers that allow for network or system authentication.
-   6. SQL relational database or object-oriented, or object-relational repository that stores access information, user information, physical information, zone maps and other information related to logical and physical access control.

The security system uses active directory, SQL and controller based data structures to control physical and logical access. The elements are tied together through processes that integrate active directory, a relational database backend and physical controller data structures. Clients that provide for disconnected access control may also use ADAM (a clientized version of active directory) that may synchronize to a master active directory structure.

Access control is based on defining identities or grouping identities based on roles and then assigning them to security zones, network based or system based objects. An object can be a file or other element stored in a file system, database, etc. An identity is defined by creating a new identity and setting different configuration options that relate to networks, systems and/or physical access control, to include hours of access, security zones, accessible domains, etc. Logical attributes are stored within the active directory structure, while physical attributes are stored within the controller data structure, and other attributes that bridge both are stored in the relational data structure. Services tie all three together in a transactional process that guarantees identity update parameters (adding or provisioning, modifying privileges, and termination or revocation). Identities are tracked through the use of GUIDs, UUIDs and/or certificates. This structure allows for the best data integrity and reliability as well as maintaining separation of duties between physical controllers and logical controllers.

When the security system is installed, the device identifies the controlling aspects of the logical networks and takes the role as the master controller. Identity updates will occur to the device through active directory and active directory extensions. The other controllers then act as authentication controllers for the network. CRITSEC also conducts a search and discovers physical control devices, systems and logical network elements and takes control of those as well. Updates that are applied to an identity are transacted through a service that acts as a broker between active directory, the physical controller and the relational database.
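The three-store layout and the brokered, transactional identity update described in the two preceding paragraphs, as an added example that is not code from the patent: the three classes are constructed stand-ins for the Active Directory structure, the physical controller data structure and the relational backend, and the broker applies a provision, modify or revoke to all three or to none of them.

```python
import copy
import uuid


class StoreError(Exception):
    """Raised by a store that rejects an update; the broker then rolls everything back."""


class LogicalStore:
    """Stands in for the Active Directory side: account, accessible domains, hours of access."""

    def __init__(self):
        self.accounts = {}

    def apply(self, guid, identity):
        if identity is None:                      # revocation removes the account
            self.accounts.pop(guid, None)
        else:
            self.accounts[guid] = {"name": identity["name"],
                                   "domains": list(identity["domains"]),
                                   "hours": identity["hours"]}


class PhysicalStore:
    """Stands in for the physical access controller data structure: zone grants."""

    def __init__(self, known_zones):
        self.known_zones = set(known_zones)
        self.grants = {}

    def apply(self, guid, identity):
        if identity is None:
            self.grants.pop(guid, None)
            return
        unknown = set(identity["zones"]) - self.known_zones
        if unknown:                               # the controller refuses zones it does not manage
            raise StoreError(f"unknown zones {sorted(unknown)}")
        self.grants[guid] = set(identity["zones"])


class RelationalStore:
    """Stands in for the SQL backend holding attributes that bridge both sides."""

    def __init__(self):
        self.rows = {}

    def apply(self, guid, identity):
        if identity is None:                      # keep the row for audit, mark it revoked
            self.rows[guid]["revoked"] = True
        else:
            self.rows[guid] = {"role": identity["role"], "cert": identity["cert"],
                               "revoked": False}


class IdentityBroker:
    """Applies one identity update to all three stores, or to none of them."""

    def __init__(self, logical, physical, relational):
        self.stores = [logical, physical, relational]
        self.identities = {}                      # canonical copy, keyed by GUID
        self.audit = []

    def _transact(self, action, guid, identity):
        # Snapshot every store, apply in order, restore all snapshots if any store refuses.
        snapshots = [copy.deepcopy(store.__dict__) for store in self.stores]
        try:
            for store in self.stores:
                store.apply(guid, identity)
        except StoreError as exc:
            for store, snap in zip(self.stores, snapshots):
                store.__dict__.clear()
                store.__dict__.update(snap)
            self.audit.append((action, guid, f"rolled back: {exc}"))
            raise
        if identity is None:
            self.identities.pop(guid, None)
        else:
            self.identities[guid] = copy.deepcopy(identity)
        self.audit.append((action, guid, "committed"))

    def provision(self, identity):
        guid = str(uuid.uuid4())                  # identities are tracked by GUID
        self._transact("provision", guid, identity)
        return guid

    def modify(self, guid, changes):
        self._transact("modify", guid, dict(self.identities[guid], **changes))

    def revoke(self, guid):
        if guid not in self.identities:
            raise KeyError(guid)
        self._transact("revoke", guid, None)


def demo():
    """Constructed walk-through: one commit, one rejected update, one change, one revocation."""
    logical = LogicalStore()
    physical = PhysicalStore({"lobby", "scada-room"})
    relational = RelationalStore()
    broker = IdentityBroker(logical, physical, relational)
    base = {"domains": ["city.local"], "hours": "00:00-24:00", "cert": "cert-placeholder"}
    guid = broker.provision(dict(base, name="responder-1", zones=["lobby"], role="EMS"))
    try:                                          # "vault" is not a controller zone: rolled back
        broker.provision(dict(base, name="responder-2", zones=["vault"], role="fire"))
    except StoreError:
        pass
    broker.modify(guid, {"zones": ["lobby", "scada-room"]})
    broker.revoke(guid)
    return {"accounts": len(logical.accounts), "grants": len(physical.grants),
            "rows": len(relational.rows), "revoked": relational.rows[guid]["revoked"],
            "audit": [entry[2].split(":")[0] for entry in broker.audit]}
```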

The relational structure is implemented in a way that provides for data mapping as opposed to hard defined data structures. This allows users of the CRITSEC system to use a variety of data backends with CRITSEC, including MS SQL, Oracle, MySQL and others.

Supervisory Control And Data Acquisition (SCADA) is a remote control process that controls infrastructure such as water or power, etc. There is a client that communicates with a control device that controls some aspect of a process. The exemplary componentry associated with the SCADA embodiment includes: client software that provides an interface to a variety of controllers. SCADA software secures SCADA operational processes through an enhanced SCADA interface. Controllers and remote terminal units are, for example, devices that monitor and open or shut valves or perform some other function that is required to maintain certain process attributes. A controlled device is, for example, a valve or other device that has impact over a controlled process. The security system integrates logical and physical access control to SCADA networks. SCADA has been over the years inherently weak when it comes to access controls and security. SCADA security addresses this by integrating the SCADA network with the security system for controlling physical and logical access to SCADA networks. SCADA security also provides for a more secure interface while allowing SCADA operators to continually monitor processes through a screen that is locked for input but remains functional and visibly open for monitoring. Physical and logical access controls are similar to the other applications and processes described herein. The client software secures the SCADA management process by creating a transparent screen that SCADA operators can use to monitor SCADA processes. Though users can see processes in real-time, they can't interact with the process until authentication takes place through the security management system. Once authentication takes place, the transparent screen moves to a background process while the SCADA client application takes the foreground process and allows for operator interaction.
Alerting takes place through a colored border that flashes at the edge of the screen, still allowing the operator to monitor real-time actions through the transparent screen.

These and other features and advantages of this invention are described in, or are apparent from, the following detailed description of the exemplary embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

The exemplary embodiments of the invention will be described in detail, with reference to the following figures wherein:

FIG. 1 is an overview of the exemplary security system according to this invention.

FIG. 2 illustrates exemplary components that can be associated with a credential according to this invention.

FIG. 3 illustrates an exemplary credential issuance system according to this invention.

FIG. 4 illustrates in greater detail the components of the IT/Network and Physical Security Management system according to this invention.

FIG. 5 illustrates in greater detail the IMPACT system according to this invention.

FIGS. 6-37 illustrate exemplary graphical user interfaces associated with this invention.

FIG. 38 illustrates an exemplary relational database structure according to this invention.

FIG. 39 illustrates exemplary data flow processes according to this invention.

FIG. 40 illustrates an exemplary credential shield according to this invention.

DETAILED DESCRIPTION

The exemplary embodiments of this invention will be described in relation to security management. However, it should be appreciated that, in general, the systems and methods of this invention will work equally well for any type of communication system in any environment.

The exemplary systems and methods of this invention will also be described in relation to security management and the components, sensors, hardware, software and data feeds associated therewith. However, to avoid unnecessarily obscuring the present invention, the following description omits well-known structures and devices that may be shown in block diagram form or otherwise summarized.

For purposes of explanation, numerous details are set forth in order to provide a thorough understanding of the present invention. It should be appreciated however that the present invention may be practiced in a variety of ways beyond the specific details set forth herein.

Furthermore, while the exemplary embodiments illustrated herein show the various components of the system collocated, it is to be appreciated that the various components of the system can be located at distant portions of a distributed network, such as a telecommunications network and/or the Internet, or within a dedicated secure, unsecured and/or encrypted system. Thus, it should be appreciated that the components of the system can be combined into one or more devices, or collocated on a particular node of a distributed network, such as a telecommunications network. As will be appreciated from the following description, and for reasons of computational efficiency, the components of the system can be arranged at any location within a distributed network without affecting the operation of the system. For example, the various components and functions associated therewith can be divided between one or more of the described systems, can be load balanced between one or more security systems and can be networked between one or more security systems, devices, or some combination thereof. Similarly, one or more functional portions of the system could be distributed between a plurality of geographically separate systems.

Furthermore, it should be appreciated that the various links, including any communications channels connecting the elements, can be wired or wireless links (including satellite based link(s)) or any combination thereof, or any other known or later developed element(s) that is capable of supplying and/or communicating data to and from the connected elements. The term module as used herein can refer to any known or later developed hardware, software, firmware, or combination thereof that is capable of performing the functionality associated with that element. The terms determine, calculate and compute, and variations thereof, as used herein are used interchangeably and include any type of methodology, process, mathematical operation or technique. It should also be appreciated that various levels of redundancy and portability can be included with the system, as well as a shock mount case for emergency drops to remote locations, such as battery back-up, multi-national power supplies, recharging capabilities, and a plurality of communication options.

FIG. 1 illustrates an exemplary security system 1. The security system includes an IT/Network and Physical Security management System 100, an Incident Management Perimeter Access Control and Tracking module 200 and a credential issuance system 300. The IT/Network and Physical Security management System 100 can be connected, via one or more of network 10 and links 5, to one or more additional IT/Network and Physical Security Management Systems as well as an identity proofing module 11, one or more sensors 12, a unified credential 13, one or more access control readers 14 (which can govern physical as well as network/computer access), one or more cameras and/or video cameras or feeds 15, existing enterprise IT security system(s) 16, existing enterprise security systems 17, such as building access systems and alarm systems 18 and associated annunciators 19 and devices.

FIG. 2 illustrates an exemplary credential 200, and some of the types of information and information carrying devices associated therewith. For example, the credential can include one or more of a contact-based chip, embedded chip(s), implanted chip(s), bar code(s), printed data, picture(s), a proximity chip, a magnetic stripe and a contactless chip. Each of the information carrying devices has certain associated advantages and disadvantages and can be chosen, for example, based on the expected operating environment, environmental conditions, data to be stored thereon, security requirements and the like. The credential can be any one or more of a smart card, smart chip and embedded chip. The security system can automatically recognize the card type, issuing agency, format, etc., as well as what authorized information can be read. This allows for multi-administrators, multi-use, multi-readers and multi-sections (with each section having different access permissions), i.e., an e-passport.

While certain embodiments are described in relation to the exemplary credential, other options are also available. For example, although a uniform visual card design is desirable, experience indicates that while the flash-pass capabilities are important, more crucial is the uniformity of the information programmed into the smart card/smart chip/embedded/implanted chip. The credential issuance system can abstract the desired data into containers or sectors of the credential that are programmed into the smart card chip, some with varying degrees of protection for very sensitive data like biometric templates. These credentials/certificates are thus immediately usable at the incident site(s), not within some delayed time period, such as 24 hours. Revocation can also be immediate. Interoperability with other standards-based cards can be a key architecture principle.

While a standard template can be defined, other templates may be added. For example, while one jurisdiction may choose to store encrypted fingerprint, iris scan, hand geometry or facial recognition, including any biometric, in an encrypted card container, another jurisdiction may utilize the same space on the card for emergency medical treatment information. The ability of the credential issuance system to discern the differences between the two card types described is a unique feature that can be enabled as required. Thus, different entities can have different permissions to access different portions of one or more containers or sectors of the same card. Highlights of an exemplary credential include:

-   Data Capture and Issuance
-   Optional Version for Contact Chip
-   Works with the Credential Issuance System for Printing/Lamination - Enables ‘One Button’ Print/Program
-   Works with IMPACT and the IT/Network and Physical Security Management System for Contactless 13.56 MHz Chip and other embedded/implanted chips
-   Authorization & Tracking
-   Unique Identifier by Individual: Global Unique Identifier (GUID) or Optional Cardholder Unique Identifier (CHUID)
-   Digital Certificate Follows PKCS11 Standard - and all future standards, technologies or certificates as they become available
-   Lifecycle Operations
-   Secure Identity Management System (IdMS)
-   Secure Containers for Data on Chip
-   Works with IMPACT and the IT/Network and Physical Security Management System
-   Reprogram or Update Data in Field or Centrally
-   Real-time Validation of Digital Certificate Verification through, for example, a third-party
-   Rapid Provisioning and Termination of Privileges - NOT 24 hours
-   Maintain High ‘Level of Trust’
-   Manage Data on Card, in IdMS or both
-   Portable and Fixed Base
-   Modular
-   Secure
-   Pre-Issue Multi-function Credential or Onsite
-   Verify Identity
-   Verify Authorizations
-   Ensure ‘Level of Trust’
-   Create Photo ID or Smart Card Badge for this Incident
-   Update Smart Card Chip if 2nd Incident
-   Visual Grouping by Skill or Responsibility
-   Utilize for Physical and Logical Access
-   Stored X.509 or PKCS11 Certificates - and all future certificates as they become available
-   Match-on-Card Biometrics
-   Smart Card/Smart Chip/Embedded Chip and use of SQL and active directory
-   Registrar Functionality
-   Sponsors Submit Applicant's Background Check Info
-   Registrar Collects Identity Information: In-Person Fingerprints and I-9 Documents
-   System Tracks Status of Application
-   Notification When NACI Complete
-   ID Management System
-   Active Directory Link
-   Revalidation Dates, Moves, Adds, Changes, Terminations
-   Distribution of Applications
-   PIN Resets
-   Robust Member Search and Auditing Capability
-   SQL or SQL Link File/Data Transfers

Write IMPACT is an application that allows for the reading and writing of contact and contactless smart cards.

Exemplary Components:

-   1. Client software that allows for writing and reading data, acquiring biometric data and specifying certifications.
-   2. Data backend for storing data in either a connected or disconnected state.
-   3. Interfacing for smartcards.

Write Impact has the capability to write and read contact/contactless smartcards that meet a variety of standards, to include HSPD-12, Mifare, Desfire, Smart MX and others.

Due to card storage size and end user requirements, a matrixing solution has been developed that allows users to add a large amount of data into limited space on the smartcard chip. The matrix allows for defining a mapping solution from the application to the card's database and vice-versa. This allows agencies to define their own data and enter it into the chip of a card while not using the space required to enter that data. An example would be: Denver Sheriff Department wants to track certain certifications that they have developed. The exemplary certification is broken down to a 3 or 4 (or in general any) digit number or lettering scheme that designates that the certification is local, that the certification is related to law enforcement, that the certification is for SWAT, and that the final position designates the certification level. There is also a 1 digit number that specifies if the user is current, not current, in retraining, or that currency doesn't apply. This schema allows for the storage of much more data on a chip that can be directly referenced through the back end. Other agencies may then map their data in their own way and agency data may be correlated together through a mapping structure so outside agencies have visibility of certifications.
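The matrixing scheme described above, as an added example that is not the patent's own code: a four-position code plus a currency digit is encoded per agency, packed into a fixed-size chip container, and decoded through a backend mapping so that two agencies' different code tables correlate to the same meaning. The agency names, code tables and the 32-byte sector size are constructed for the example.

```python
# Four scheme positions (scope, domain, specialty, level) followed by one currency digit.
FIELDS = ("scope", "domain", "specialty", "level")
CURRENCY = {"0": "currency n/a", "1": "current", "2": "not current", "3": "in retraining"}
CODE_LEN = 5
SECTOR_BYTES = 32     # constructed: bytes reserved on the chip for certification codes

# Each agency defines its own symbols; only the backend mapping knows what they mean.
SCHEMAS = {
    "denver-sheriff": {                                     # constructed agency schema
        "scope": {"L": "local", "S": "state", "F": "federal"},
        "domain": {"1": "law enforcement", "2": "fire", "3": "EMS"},
        "specialty": {"A": "SWAT", "B": "K9", "C": "hazmat"},
        "level": {"1": "basic", "2": "intermediate", "3": "advanced"},
    },
    "county-fire": {                                        # constructed agency schema
        "scope": {"1": "local", "2": "state", "3": "federal"},
        "domain": {"P": "law enforcement", "F": "fire", "M": "EMS"},
        "specialty": {"T": "SWAT", "H": "hazmat", "R": "rescue"},
        "level": {"A": "basic", "B": "intermediate", "C": "advanced"},
    },
}


def encode(agency, cert):
    """Turn a certification record into the agency's compact on-card code."""
    schema = SCHEMAS[agency]
    chars = []
    for field in FIELDS:
        inverse = {meaning: sym for sym, meaning in schema[field].items()}
        chars.append(inverse[cert[field]])
    inverse_currency = {meaning: sym for sym, meaning in CURRENCY.items()}
    chars.append(inverse_currency[cert["currency"]])
    return "".join(chars)


def decode(agency, code):
    """Resolve an on-card code back to meanings; reject anything outside the agency's tables."""
    if len(code) != CODE_LEN:
        raise ValueError(f"code must be {CODE_LEN} characters, got {code!r}")
    schema = SCHEMAS[agency]
    cert = {}
    for field, sym in zip(FIELDS, code[:4]):
        if sym not in schema[field]:
            raise ValueError(f"{agency}: {sym!r} is not a valid {field} symbol")
        cert[field] = schema[field][sym]
    if code[4] not in CURRENCY:
        raise ValueError(f"invalid currency digit {code[4]!r}")
    cert["currency"] = CURRENCY[code[4]]
    return cert


def pack_sector(codes):
    """Serialize codes into the fixed-size container; refuse data that would not fit."""
    for code in codes:
        if len(code) != CODE_LEN or not code.isascii() or not code.isalnum():
            raise ValueError(f"malformed code {code!r}")
    payload = "".join(codes).encode("ascii")
    if len(payload) > SECTOR_BYTES:
        raise ValueError(f"{len(payload)} bytes exceed the {SECTOR_BYTES}-byte sector")
    return payload.ljust(SECTOR_BYTES, b"\x00")


def unpack_sector(raw):
    """Split a container read from the chip back into codes, rejecting a torn record."""
    payload = raw.rstrip(b"\x00").decode("ascii")
    if len(payload) % CODE_LEN:
        raise ValueError("sector contents are truncated or corrupted")
    return [payload[i:i + CODE_LEN] for i in range(0, len(payload), CODE_LEN)]


def correlate(holdings):
    """Group (agency, code) pairs by decoded meaning so outside agencies see equivalents."""
    groups = {}
    for agency, code in holdings:
        cert = decode(agency, code)
        key = tuple(cert[field] for field in FIELDS)
        groups.setdefault(key, []).append((agency, cert["currency"]))
    return groups
```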

For protecting the credential, as illustrated in FIG. 40, a shielding credential holder device leverages a magnet to hold a clear cover to a shielding back, and can be flipped out with one hand when one needs to enable the contactless signal when presented to a reader to, for example, open a door. Credential holders that shield contactless emanation from unwanted and/or unauthorized reading are current state-of-the-art; however, convenient usage by an individual when entering a secured facility is somewhat lacking. The illustrated units are designed to feature a clear pocket for the credential that magnetically adheres to a shielding backing. Thus, a user is able to confidently display the front of the credential on a lanyard or clipped to clothing knowing that it cannot be read contactlessly in this mode, yet easily separate the clear pocket from the backing with one hand to expose the contactless signal when required, and allow reading thereof.

FIG. 3 illustrates an exemplary credential issuance system 300. The credential issuance system 300 comprises a signature capturer 305, a PIN keypad capturer 310, a fingerprint capturer 320, a camera 330, a module for registrar functionality 340, an ID management module 350, a report printer 360, a card printer 370, a card reader/writer 380, and a document scanner 390, all interconnected via one or more links and networks. One or more pieces of data can be secured via the appropriate capturer and associated with a credential. The data can be associated, in cooperation with the card reader/writer 380, by storing information on the card or printing information on the card. This information, or a portion thereof, can also be encrypted as needed.

The credential issuance system 300 also can cooperate with a module for registrar functionality. Registrar functionality can include a background check, fingerprinting and I-9 documentation, system tracking of the application process and notification of when the NACI is complete. The ID Management module can include an active directory link, revalidation functions, date and tracking, moves, adds, changes, terminations, and the like, for an issued credential. The ID management module 350 can also handle the distribution of applications, PIN resets, robust member searching functionality and auditing.

FIG. 4 illustrates the IT/Network and Physical Security ManagementSystem 100 in greater detail. In particular, the IT/Network and PhysicalSecurity management System 100 comprises one or more of a data store105, logging module 110, authentication processes/access control module115, data filtering module 120, data marts/warehouses 125, ArtificialIntelligence modules 130, video module 135, document module 140, mappingmodule 145, training/prediction reporting module 150, sensor module 155,audio module 160, VOIP module 165, communications management module 170,user module 175, admin module 180, environment specific module 185,information feed module 190, scalability and interconnection module 195and security module 199, all intercommoned via the appropriate link(s)and/or network(s) as required (not shown).

FIG. 5 illustrates in greater detail an exemplary member of the IMPACTfamily of solutions 200. In particular, the IMPACT system comprises oneor more of an equipment tracking module 205, a personnel tracking module210, a perimeter management module 215, a credential management module220, a task module 225, an alert module 230, a reporting module 235 anda sensor module 240, all intercommoned via the appropriate link(s)and/or network(s) as required (not shown).

In operation, an administrator initializes the system by adding the personnel, equipment, credentials, or in general any tangible or intangible items, that are to be managed. The addition of the managed information can be streamlined through the use of one or more templates designed for specific incidents and/or environments. For example, when booting the security system, the system can query the user as to the type of deployment, incident or environment. Based on the user's selection, specific GUIs, templates and prompts for connections to various types of data feeds can be generated. Once all relevant information pertaining to the managed information is established, various pre-defined rule sets can be invoked or one or more custom rules created that allow actions to be triggered based on satisfaction of one or more rules. For example, if the incident is a fire and the security system is connected to the existing building fire system, a pre-defined "building fire" rule set could be selected that allows the security system to monitor heat sensors, movement of emergency responders in the building, fire sensors, video feeds, etc.

In addition, the security system can monitor the presence of emergency responders as they move into and out of the incident scene. This not only allows the system to account for the presence and location of personnel, but also supports more routine tasks such as billing management. In the event of an injured emergency responder, the system could also automatically forward medical information based on the emergency responder's credential to a hospital to assist with treatment.

The IMPACT family of solutions can also be preconfigured with connectivity escalation routines that allow the security system to contact one or more additional security systems based on, for example, the meeting of one or more metrics monitored by the system. For example, if explosives or an explosion is detected, the security system can forward information related thereto to the federal authorities. Additionally, the security system may connect to other security systems to assist in the analysis of trend data in the event of, for example, widespread terrorist activity.

In another exemplary embodiment, the system is not actually deployed to an incident, but is used as a full-time security monitor for one or more of a facility, network or computer system. The system can also interface with existing structures, such as a school, utilizing the appropriate modules, allowing control over and monitoring of, for example, a school's security system. For example, the security system can be connected, wired or wirelessly, by an emergency response team to the school and control all aspects of security including cameras, locks, access, etc.

FIGS. 6-37 illustrate exemplary GUIs associated with the security system. With all the exemplary GUIs, different skins can be selected that are suitable for different lighting environments, thus allowing the application to be easily seen inside or outside, while it is bright or dark, in red, blue, green, yellow, white light, etc. In particular, FIG. 6 illustrates an exemplary access control GUI where a user would go to add other users, specify what they have access to (i.e., logical and/or physical resources), and the hours and zones during which they have access to these resources. Other things can be controlled here such as the person's certifications and username and password. The Connected Tab (located above the Full Name) shows a list of all the different users that are currently connected to the system.

The Reader button (located below the Time Zone) will group the card readers into logical groups that will be considered one of many zones. The Users button gives you a list of all the users that have been added into the Access Control for quick navigation to a specific user.

FIG. 7 illustrates an exemplary main navigation menu. The main navigation menu allows a user to move through the application. It can be moved as well as set to auto hide in case you need more screen space for the content area. The content area is the main portion of the display, and all the tools selected from the main menu are illustrated in it. Tabs or buttons are also provided in this interface to access other features of the system. In this example, the tabs are "org chart," "packages," etc. The lower portion of the GUI is the log. The log illustrates all the events that have happened such as a connection to the server. Like the main menu, this can be moved, resized, or set to auto hide, and each event in the log can be selected for additional information.

FIG. 8 illustrates an exemplary custom time view GUI where a user can create custom times during which a user is allowed into either a physical area or the network. Times can be set for any day of the week and can be controlled down to the hour.
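The reader-side decision that FIGS. 6 and 8 describe (a credential whose stored data has been bound to the card at issuance, checked against the holder's zones and permitted hours) is shown below as an added example. It is not code from the patent or from the IMPACT product; the issuer key, the user record, the zone schedule and the HMAC-based binding are assumptions made for illustration (a deployed issuance system would more likely sign the card data with an asymmetric key):

```python
"""Reader-side credential check: card-data integrity plus zone/hour policy.

Added example, not the patent's own code. Assumes the issuance system binds a
small JSON record to the card with an HMAC-SHA256 tag under an issuer key that
readers also hold, and that each user's permitted zones and hours are stored
per user. All keys, records and schedules below are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime

# Constructed issuer key shared between the issuance system and the readers.
ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"


def canonical(record):
    """Serialize deterministically so issuer and reader MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue_card(record, key=ISSUER_KEY):
    """Issuance side: bind the record to the card with an HMAC tag."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_card(card, key=ISSUER_KEY):
    """Reader side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(card["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, card.get("tag", ""))


# Constructed access schedule: uid -> zone -> list of (weekdays, start_hour, end_hour).
# Weekday numbering follows datetime.weekday(): Monday = 0 ... Sunday = 6.
# Hours are 24h and the end hour is exclusive.
SCHEDULES = {
    "u-1001": {
        "lobby": [({0, 1, 2, 3, 4}, 6, 20)],
        "server-room": [({0, 1, 2, 3, 4}, 9, 17)],
    },
}


def window_open(windows, when):
    """True if `when` falls inside any of the (weekdays, start, end) windows."""
    return any(when.weekday() in days and start <= when.hour < end
               for days, start, end in windows)


def access_decision(card, zone, when):
    """Return (granted, reason); the caller logs every denial reason.

    `when` may be a datetime or an ISO-8601 string. Integrity is checked
    before anything else so a tampered card never reaches the policy step.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if not verify_card(card):
        return False, "integrity check failed"
    rec = card["record"]
    if datetime.fromisoformat(rec["expires"]) <= when:
        return False, "credential expired"
    windows = SCHEDULES.get(rec["uid"], {}).get(zone)
    if not windows:
        return False, "no permission for zone"
    if not window_open(windows, when):
        return False, "outside permitted hours"
    return True, "granted"


if __name__ == "__main__":
    card = issue_card({"uid": "u-1001", "name": "Constructed Responder",
                       "expires": "2030-01-01T00:00:00"})
    print(access_decision(card, "server-room", "2029-03-13T10:00:00"))
```

The order of the checks is the point: the integrity tag is verified first, then expiry, then zone membership, then the hour window, so a card whose stored fields were altered after issuance is rejected before any of the holder's permissions are consulted.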

FIG. 9 illustrates an exemplary incident GUI. The Incident screen gives a quick overview of the scene that includes who opened it, the date it was opened and closed, and location. Additionally, historical data can be shown so lessons learned from one event can assist in the decision making process.

FIG. 10 illustrates an exemplary Org Chart (Organization Chart) that can be used to see a graphical representation of the incident command structure under, for example, a HSPD. By simply dragging and dropping, a single person or an entire group can be placed under a different commander. A user can add or remove any of the nodes for situations that require different specialists. A user can also fill the role of the positions with people that have been added to the Access Control area.

The Expand and Collapse button controls all the boxes, expanding all of them or collapsing all of them.

FIG. 11 illustrates in greater detail some of the Org Chart information.

FIG. 12 illustrates an exemplary SITREPS (Situation Reports) GUI. The situation reports can be updated every time something is changed in, for example, an emergency scene, event or exercise.

FIGS. 13 and 14 illustrate lists of all the different agencies that are at the scene. Within each agency is a list of all the employees. Each employee has information about them such as status (deployed, staging, etc.), blood type, and cost rate. Then each employee will have a list of certifications that they carry. Information held here pertains to when the individual received the certification, when it expires, when he is expected to have it renewed, and whether the person has insurance.

FIG. 15 illustrates the different packages and their status, including when they arrived at the emergency scene.

FIG. 16 illustrates an exemplary tasking screen where a user can assign various tasks that can include a description, when it was assigned, when it needs to be completed by, who it is assigned to, priority, and its sensitivity. Tasks can be assigned to an individual or to a group/agency.

FIG. 17 illustrates an auto-populated log that provides a brief overview of everything that has occurred within this incident including when a new Incident Commander comes in, when new SITREPS are created, and when packages arrive.

FIG. 18 illustrates the History Tab showing a brief overview of all the incidents for quick reference. When a user selects one of the incidents, that incident's information is seen through the rest of the EMS tabs. This is used not only for review, but if an incident is happening that is similar to a past scene, it can provide a quick way of seeing some of the possibilities that could happen.

FIG. 19 illustrates an exemplary video GUI. The video GUI at least supports IP, USB, CCTV and wireless cameras with support for audio. The video GUI can auto adjust if more than four cameras are added and provides the ability to manually resize each box. Snapshots and recording can be automated through rules, so if someone tries to swipe a card that is invalid, you can automatically take a snapshot capturing the person's face. Motion detection can be used for the entire camera view or you can set up grids so that it will only record if there is motion within that area. Frame rate can also be controlled from here.

FIG. 20 illustrates an exemplary sensor GUI. The sensor GUI displays data from a sensor that can be captured and displayed as a 2D/3D graph or mapped into a GIS. A user is also able to turn on and off the various bars as well as the markers. A user can also change a bar's color and width, as well as the amount of time that they are viewing in the recorded data.

FIGS. 21 and 22 illustrate the ability to open a wide variety of documents, including the ability to utilize a built-in spell checker and thesaurus. Also supported is a built-in capability to open various spreadsheets. This is where a user can come to open template-type forms that can be blank or pre-populated with data from the incident.

FIGS. 23-25 illustrate various scheduling interfaces. Here a user can see a daily overview of different tasks that have been scheduled. A user can delete/add new columns by clicking the Delete/Add buttons on the right. A user can add a new task into a timeslot by double clicking the time that you want it to start. When a user adds an event to the timeslot, it can be titled, given a location, marked with what type of an event it is, shown with its status at that time (i.e., busy), and given a duration. A user can also set up a recurrence so this event is automatically there daily, weekly, biweekly, monthly or annually.

FIGS. 26-27 illustrate alternative scheduling GUIs. By changing the view to a weekly view, a monthly view, or an annual view, a user can easily see all of the appointments or scheduled events and historical data.

FIGS. 28-31 illustrate exemplary mapping GUIs. A user can use both static mapping and Internet mapping and can tilt, rotate, and zoom in through the tools on the right. A user can also bring in various layers, even to the Internet mapping, that can provide different information. Terrorist alerts/maps, disaster maps and GIS data, as well as existing terra maps and GIS systems, can also be obtained by the system.

FIG. 32 illustrates a built-in VOIP GUI and chat support that allows for communications as long as there is power. A user can also record VOIP conversations in this GUI.

FIG. 33 illustrates an exemplary metrics GUI. Here a user can total a utilization cost, as an agency, and even by their status. This can be done, for example, for Agencies and Resources. This allows, for example, states/counties to call for federal assistance as soon as it is available or limits are reached.

FIGS. 34-37 illustrate various exemplary admin GUIs. Within the Admin Console, a user can check out the server's health status, have it automatically send alerts to e-mail, a phone, a computer, or just write a log. Within the console, a user can set up automatic discovery and/or failover with other security systems, or the systems can be manually discovered. The software can also be configured to automatically check for updates from this console.

FIG. 38 illustrates a high-level architecture of a relational database that can be used in conjunction with the embodiments described herein. The attached Appendix provides more detailed specifics regarding the architecture and the relationships therebetween, with the numbers in the connecting lines corresponding to the relationships detailed in the Appendix. In general, however, any relational database, object-oriented or object-relational database structure will work well with the systems and methods of this invention provided a mapping between associated elements can be determined. This exemplary architecture represents the relationships between, for example, video, graph, audio, VOIP, documents, equipment, personnel, tasks, etc.

FIG. 39 illustrates an exemplary data flow and process tree according to an embodiment of this invention. The exemplary processes depicted within the figure illustrate connectivity and process flow. These flow diagrams can be consistent throughout all the various modules. For example, both the IMPACT family of solutions and the IT/Network and Physical Security Management System can include the same processes for cameras, video, access control, etc., as well as a Supervisory Control And Data Acquisition (SCADA) type system using the functionality described herein, with all of the systems capable of including the same processes as other modules and processes applied to data operations, etc. The scope of all modules can be configured into a self-healing networked structure where, if a piece, segment or network were to fail, a self-healing process could instantiate itself and rebuild critical parts of any portion of the system(s) and/or network. The systems/networks can also support a failsafe mechanism that allows for the destruction of a device if, for example, tampering is detected.

The exemplary processes that can be performed by one or more of the modules discussed herein (or by one or more modules connected to the security management system) are: New Record, Replication Process, Video Processes, EMS Processes, Mapping Processes, Authentication Processes/Access Control, Document Processes, Logging Processes, Sensor Processes, Support Processes, Audio Processes, VOIP Processes, AI Processes, Data Scrubbing, Trending/Prediction Reporting Process and Communications Processes.

The New Record process allows the creation of a new record. This new record can relate to personnel, equipment, monitors, sensors, credentials, or in general any aspect of security management including both tangible objects/personnel and intangibles.

The Replication Process allows both upstream and downstream replication of information. This replication can include filtering to allow for a hierarchy of data flow with, for example, permissions established such that data stores with lesser permissions have access only to certain portions of the data.

The Video Processes, as with the other types of "data" feeds, such as audio, VOIP, etc., are logged in a logging module and preserved in a local data store as well as monitored by the Authentication Processes/Access Control Process. Video can also be streamed from different devices using different transmission protocols, including IP based, BNC, Web and others.

The EMS Processes are one of several exemplary processes that reflect the various operating environment(s) into which the systems and methods described herein may be placed. It should be appreciated, however, that these specific operating environment type processes can be combined with other operating environment type processes as needed and may be dynamically added at any time. For example, during boot of the IT/Network and Physical Security Management System, the environment can be configured through selection of the specific event type(s). EMS processes cover all aspects of an incident to at least include personnel, equipment, org charts, situation reports, lessons learned, scheduling, mapping, and other related items specific to an event.

The Mapping Processes allow the integration and display of map(s) into the Network and Physical Security Management System. The Mapping Processes at least include one or more of GIS, real-time mapping, static mapping, and the overlaying of various sets of data, either retrieved, input or correlated through AI Processes, onto maps that can be made available to a user(s).

The Authentication Processes/Access Control Authentication includes logical and physical authentication through, for example, various chip processes to include contact and contactless chips as well as biometrics that may be attached, embedded and/or implanted anywhere in the body including the hand and head. Authentication mechanisms also provide for the tracking of incrementing and decrementing values as well as storage of finite values within the authentication medium if a non-biogenic authentication template, e.g., a smartcard, is used. Identities can be tracked and authenticated through, for example, GUID, UUID, certificate based processes, or in general any mechanism, locally, regionally, nationally and internationally. The authentication medium will also allow, in some cases, for multi-user/multi-administration capabilities. Authentication at both physical and logical layers can include encryption using standard approved methodologies as well as future encryption strategies utilizing, for example, nano-technologies or quantum technologies, not only from the controller to the controlling device (door reader for example), but also from the controlling device to the controller and/or other operating system that may act as an intermediary or controller itself. The Authentication Processes allow for multi-factored authentication mechanisms to include, for example, what someone knows, what someone has, who someone is, where a person is, through space and time, through behavioral analysis as well as other mechanisms. This will allow for authentication of identities, groups, processes, etc., as well as physical devices and information sources.

The Document Processes allow for the creation, viewing and modification of secured documents through a data labeling process, as well as the management and classification of documents. For example, an AI process classifies documents on the fly based on, for example, certain keywords, origin information, creator information, content, or phrasings, as well as by the classification authority or creator. Documents identified as secure can be stored in an encrypted format within the database.

The Logging Processes support event correlation through a triage AI process for each entry added to the log. Logsets can be multi-record structures where event correlation takes place against a set of log entries that may or may not be similar in nature. Logs can be archived, for example, at the event level and can be fine tuned to, for example, periods of time.

The Sensor Processes not only include sensors for environmental characteristics but also include tracking through thermal, biologic, pressure and other methods provided through a sensor interface.

The Support Processes include failover support, self-discovery and other system configurations. Support processes also include all processes that provide for systems administration, configuration, healing, alerting, balancing or other processes supporting any of the described processes or modules.

The Audio Processes allow for the modeling of various audio characteristics. This can include sound that is audible to the human range or outside the scope of human range.

The VOIP Processes allow VOIP communications over one or more networks to one or more other IMPACT and/or IT/Network and Physical Security Management System(s). VOIP and Conferencing services allow for internal conferencing capabilities. The only requirement is connectivity through any available means. Conferences can be recorded, stored and verified in the future.

The AI Processes include rule set, fact set, fuzzy and neural processes to predict and trend. Intelligent processes include inferencing technology, neural processes as well as other multi-generation intelligence processes. In terms of intelligent processing there are three layers.

1. Triage (Real-time): this is accomplished as raw data is entered through a process. This is basic yes/no type rule set logic and can be applied to an individual record very quickly.
2. Near real-time: this can be accomplished across multiple records as data sits in an active local data store. The correlation of this data can be more complex than simple rule sets and can include complex nested rule sets as well as facts applied.
3. Historical: this takes place against a data mart/warehouse and/or a regional, national and/or international level data source. These AI Processes can include not only rule sets and facts, but fuzzy logic through inferencing and in some cases neural networking, as appropriate.
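The first two layers just listed, together with the rule-triggered actions described in the operation overview (an invalid card swipe triggering a snapshot, for instance) and the multi-record log sets of the Logging Processes, are shown below as an added example. It is not code from the patent or from the IMPACT system; the log-entry fields, the two triage rules, the correlation threshold and the sample log set are assumptions constructed for illustration:

```python
"""Triage (single-record) and near real-time (multi-record) rule processing.

Added example, not the patent's own code. Assumes log entries are dicts with
ts (seconds), type, reader, card and valid fields; the rules, window,
threshold and sample entries are constructed. Layer 1 applies yes/no rules to
one record as it enters; layer 2 correlates records held in the local store
over a time window.
"""
from collections import defaultdict

# Layer 1 (triage): (name, predicate over one record, action to trigger).
TRIAGE_RULES = [
    ("invalid_swipe", lambda e: e["type"] == "swipe" and not e["valid"], "snapshot"),
    ("door_forced", lambda e: e["type"] == "door" and e.get("state") == "forced", "alarm"),
]


def triage(entry):
    """Return the actions a single record triggers on entry (fast yes/no rules)."""
    return [action for _name, pred, action in TRIAGE_RULES if pred(entry)]


# Layer 2 (near real-time): THRESHOLD invalid swipes at one reader within
# WINDOW seconds, regardless of which cards were presented.
WINDOW = 60
THRESHOLD = 3


def correlate(entries):
    """Return one alert per reader whose invalid swipes cluster inside WINDOW."""
    by_reader = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["type"] == "swipe" and not e["valid"]:
            by_reader[e["reader"]].append(e)
    alerts = []
    for reader, evs in by_reader.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most WINDOW seconds
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                alerts.append({
                    "reader": reader,
                    "count": end - start + 1,
                    "cards": sorted({x["card"] for x in evs[start:end + 1]}),
                    "first_ts": evs[start]["ts"],
                    "last_ts": evs[end]["ts"],
                })
                break  # one alert per reader is enough for the operator
    return alerts


# Constructed sample log set (timestamps in seconds).
SAMPLE_LOG = [
    {"ts": 100, "type": "swipe", "reader": "R1", "card": "c01", "valid": True},
    {"ts": 105, "type": "swipe", "reader": "R2", "card": "c77", "valid": False},
    {"ts": 120, "type": "swipe", "reader": "R2", "card": "c78", "valid": False},
    {"ts": 130, "type": "door", "reader": "R3", "state": "forced"},
    {"ts": 150, "type": "swipe", "reader": "R2", "card": "c79", "valid": False},
    {"ts": 400, "type": "swipe", "reader": "R1", "card": "c02", "valid": False},
]


def run(entries):
    """Apply both layers; returns (triage actions per entry index, correlation alerts)."""
    actions = {i: triage(e) for i, e in enumerate(entries)}
    return actions, correlate(entries)


if __name__ == "__main__":
    acts, alerts = run(SAMPLE_LOG)
    print(acts)
    print(alerts)
```

On the sample log the triage layer fires "snapshot" on each invalid swipe as it arrives, while the correlation layer, looking at the stored records together, raises a single alert for reader R2 because three different invalid cards were presented there within 45 seconds; the lone invalid swipe at R1 stays below the threshold.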

AI Processes allow for human and non-human intervention, alerting and other modifications to configurations, data or other items designated as modifiable on-the-fly. Expert Systems can attempt to emulate the decision making abilities of a human expert using knowledge (facts) and inference procedures (rules). In some cases other intelligent processes may be used such as neural networking, data clumping, associative discovery, etc. AI processes are designed to find events and trends and to predict where the data to support that prediction doesn't appear to exist.

The Data Scrubbing process allows for sanitizing of data by any means, such as rule based sanitizing.

The Trending/Prediction Reporting Process can cooperate with the AI Processes to generate trending and/or prediction reporting and alerts based on one or more of incident information, information feeds, activity, data trends or in general any information received by the IT/Network and Physical Security Management System.

The Communications Processes include any method for communications to include satellite, cellular, wireless, networked, encrypted, hardened, packet or circuit-switched, or any other communications process or protocol.

The Data Stores house data that can be shared with one or more other data stores. The data stores can store any information relevant to the IMPACT and the IT/Network and Physical Security Management Systems, as well as the credential issuance system, and in general any information associated with the systems described herein.

In addition to the above higher-level processes, sub-processes operate within the security system. A description of the exemplary sub-processes is given below.

The Record Management process allows entities identified with "administrator" privileges to administer records. These records include identity records, and administrators can at least add, delete or modify identities as well as levels of permission, access control, etc., and in general any feature associated with a record including the creation, modification or deletion of a record.

The Identity Configurations process includes all aspects of an identity account. These include basic personal information such as name, DOB, position, access control parameters (to include access points and hours), biometric data, etc. An identity is directly correlated to a certificate and a GUID/UUID or other unique identifier. These items are used to correlate identities to other sets of information through lookups.

The Permissions Process provides and regulates permissions to information and/or objects.

The Access Control process provides for both logical and physical access control solutions to one or more physical areas and/or computer, computer network or IT-based systems.

The Authentication Process determines whether or not an entity has the authority to access and manage records.

The Record Management Process includes the ability to add records, delete records and modify records, as well as providing record navigation and searching functionality.

The Active Directory Process provides standard active directory structures and extended active directory structures. For example, in an emergency response scenario, the security system 1 is a self-contained network, whereas in other incident management solutions active directory can be integrated into an existing network structure. In cases where an incident management solution must control access logically, the security system can act as the master controller and only make updates to the active directory databases while, for example, dedicated, incident specific incident management controllers act as authenticating mechanisms, thereby reducing the overall load on the IMPACT system.

The Physical Access Control Process controls, for example, disconnected hand-held or other types of credential reading devices that can be updated, for example, on-the-fly through wireless, wired or removable media. The devices can first authenticate to one another prior to data updating. In other IMPACT scenario solutions, physical reader controllers can be embedded into the IMPACT solution and control physical access by a direct or wireless connection to the terminal reader.

The Motion Detection Process allows for the configuration of the sensitivity of the detection grid in one or more connected video cameras or feeds as well as other options related to motion detection. The motion detection processes can be defined to slew a camera to a certain position if motion enabled cameras are used.

The Snapshot Process allows snapshotting by extracting a single frame from a video stream. Snapshotted graphics can be stored in an encrypted format and checksummed for evidentiary use.

The Streaming Process allows video to be streamed to a user interface within the security system and can be saved in, for example, a compressed and encrypted format to the data store. Video can also be checksummed for evidentiary use.
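The checksumming for evidentiary use that the Snapshot and Streaming Processes describe is shown below as an added example, not code from the patent or the IMPACT system. It goes a step beyond a per-item checksum by chaining the items, so that a later check also catches a dropped or reordered frame; the frame bytes, metadata and store layout are constructed for illustration, and encryption at rest, which the patent describes as a separate step, is assumed to be handled by another layer and is not shown:

```python
"""Checksummed, chained evidence store for snapshots and video segments.

Added example, not the patent's own code. Each stored item (a frame or a
segment) is a byte string plus metadata. Every item gets a SHA-256 checksum
and a chain link that also covers the previous link, so modification,
deletion and reordering are all detectable at verification time. Encryption
at rest is assumed to be a separate layer. Frame bytes below are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor before the first item


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def chain_link(prev_link, checksum, meta):
    """Hash binding this item's checksum and metadata to the previous link."""
    meta_bytes = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(prev_link.encode() + checksum.encode() + meta_bytes)


class EvidenceStore:
    """Append-only store: items hold the bytes, manifest holds the proof."""

    def __init__(self):
        self.items = []      # list of (meta, blob)
        self.manifest = []   # list of manifest entries, one per item
        self.head = GENESIS

    def add(self, blob, **meta):
        checksum = sha256_hex(blob)
        link = chain_link(self.head, checksum, meta)
        entry = {"seq": len(self.manifest), "meta": meta,
                 "checksum": checksum, "prev": self.head, "link": link}
        self.items.append((meta, blob))
        self.manifest.append(entry)
        self.head = link
        return entry


def verify(items, manifest):
    """Return (ok, problems) after recomputing every checksum and chain link."""
    problems = []
    if len(items) != len(manifest):
        problems.append("item count differs from manifest")
    head = GENESIS
    for i, entry in enumerate(manifest):
        if i < len(items):
            _meta, blob = items[i]
            if sha256_hex(blob) != entry["checksum"]:
                problems.append(f"checksum mismatch at seq {entry['seq']}")
        if entry["prev"] != head:
            problems.append(f"chain break at seq {entry['seq']}")
        if chain_link(head, entry["checksum"], entry["meta"]) != entry["link"]:
            problems.append(f"bad link at seq {entry['seq']}")
        head = entry["link"]
    return (not problems), problems


if __name__ == "__main__":
    store = EvidenceStore()
    for i in range(3):
        store.add(b"constructed-frame-%d" % i, camera="cam-1", frame=i)
    print(verify(store.items, store.manifest))
```

A plain per-frame checksum proves that an individual frame is unchanged; the chain additionally proves that the sequence of frames presented is the sequence that was recorded, which is what an evidentiary review of a stream needs.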

The Video Interface Process allows a user to manipulate and view video data. This interface also acts as the record management interface that allows a user to add, delete, modify and navigate video records, for example, with the use of meta-data, keywords, etc.

The Docs Mods Process allows video data stills and in some cases streamed video data to be included into documents that are stored within the data store.

The Camera Control Processes allow camera controlling through motion detection as well as user remote control of any of the cameras associated with the security system.

The Logging Process can support event correlation through the triage of artificial intelligence processes for each entry added to the log. Log sets can be multi-record structures where event correlation takes place against a set of log entries that may or may not be similar in nature. Logs can be archived off at the event level and/or system level and be fine tuned to periods of time.

The Event Data Process allows management of event data, comprising basic information pertaining to an event, to include, for example, incident commander, location, perimeters, zones and event descriptions.

The Situation Reporting Process allows situations taking place during an event to be identified, flagged and tracked.

The Org Charting Process provides the ability to create and manage an organizational chart of the incident staffing. Personnel can be selected to fill slots within the organizational structure. Also, when an individual is selected to fill a role, the role can be cross-referenced with certifications data that is tied to personnel. If, for example, the individual is not certified to fill a role, then, for example, based on an active rule set, the incident commander can be informed. An incident commander can also be authorized to override the flag. There can be more than one organizational chart per event.

The Personnel/Equipment/Certs Process allows one or more of personnel, equipment and personnel certifications to be tracked through an event to include, for example, cost rates, use, renewal information and other items.

The Package Definition Process allows packages to be defined by standard definitions, non-standard definitions as well as task force definitions. Packages can be requested, offered for deployment and, in special circumstances, be defined on-the-fly during and at an incident. Packages are normally defined and then pushed to, for example, a regional and national data store for deployment. Packages can also be requested by various agencies to take part in an event.

The Historics Process allows for the management and creation of "lessons learned documents" as well as documents generated through an artificial intelligence process that correlates useful information for specific requirements during an incident. This gives event managers access to data and data mining capabilities that may uncover information relevant to the incident(s) such as trending information. Documents can be correlated from local, regional, national and/or international sources.

The Graphic Layering process allows graphic overlay(s) to be added to or taken off of a mapping structure. Layers can represent different sets of interpolated data.

The Internet Based Mapping Wrapper Process allows for including access to internet based maps. This provides, for example, an instant mapping interface that doesn't require any static map files to be carried with the security system. Layers can be added to internet based mapping to represent different sets of data.

The Data Interpolation Process allows taking data from different sources, turning that data into coordinate data and then placing it into a graphic layer to be presented through a mapping interface. Data can represent sensor locations, boundary locations, personnel locations, equipment locations, or in general any data the security system has access to.

The GIS Processing Process allows real-time GPS related navigation, as well as other GIS related mapping processes. For example, responders can use GPS enabled tracking devices that can be represented in a mapping structure. This is useful for deploying, tracking and recalling responders that may be in hot, warm, cold or all zones, etc.

The Graphical Interface Process allows one or more graphic interfaces to be used to manage records as well as provide for option selections and a viewing interface for the mapping modifications.

The Doc Generation Process allows a user to create spreadsheets, word processing documents, flowchart documents, graphic documents as well as other document types. These documents can be labeled with a security classification and then encrypted into the data stores where other users with the proper classification can then view the documents. This provides for a secured document access control system that provides security, integrity, reliability as well as the capability to control document dissemination.

The Classification Process allows classification labels to be added to any information within the system and can add a mandatory layer of security to document control that does not exist in discretionary operating systems that provide for shared access control. Each document can be labeled with a classification and clearance requirement that is tied directly to the data object.
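The label-based control that the Doc Generation and Classification Processes describe, and the permission-filtered downstream replication described earlier under the Replication Process, rest on the same comparison of a clearance against a label tied to the data object. Both are shown below in one added example, not code from the patent or the IMPACT system; the three-level label ordering, the user, document and record samples, and the per-field labelling of replicated records are assumptions constructed for illustration:

```python
"""Mandatory label checks for documents and label-filtered downstream replication.

Added example, not the patent's own code. Assumes a linear ordering of
classification labels, that every document carries its own label, and that
replicated records carry a label on each field. The labels, users, documents,
records and data-store clearances below are constructed.
"""

LEVELS = {"UNCLASSIFIED": 0, "SENSITIVE": 1, "SECRET": 2}


def dominates(clearance, label):
    """True when a holder of `clearance` may read an object labelled `label`."""
    if clearance not in LEVELS or label not in LEVELS:
        raise ValueError(f"unknown label: {clearance!r} / {label!r}")
    return LEVELS[clearance] >= LEVELS[label]


def can_read(user, doc):
    """Mandatory check first; the discretionary share list cannot raise access above it."""
    if not dominates(user["clearance"], doc["label"]):
        return False
    shared_with = doc.get("shared_with")   # None means: anyone with clearance
    return shared_with is None or user["uid"] in shared_with


# Constructed documents: the label is tied to the object, the share list is discretionary.
DOCS = [
    {"id": "d1", "label": "UNCLASSIFIED", "shared_with": None},
    {"id": "d2", "label": "SECRET", "shared_with": ["u-2"]},
    {"id": "d3", "label": "SENSITIVE", "shared_with": ["u-1", "u-3"]},
]


def filter_for_store(record, store_clearance):
    """Downstream replication: keep only the fields the receiving store may hold.

    Each field carries its own (label, value). A record with no permitted
    fields is withheld entirely rather than replicated as an empty shell.
    """
    kept = {name: value for name, (label, value) in record["fields"].items()
            if dominates(store_clearance, label)}
    if not kept:
        return None
    return {"id": record["id"], "fields": kept}


def replicate_downstream(records, store_clearance):
    """Return the subset of records, with fields filtered, for a lower-permission store."""
    out = []
    for record in records:
        filtered = filter_for_store(record, store_clearance)
        if filtered is not None:
            out.append(filtered)
    return out


# Constructed personnel records with per-field labels.
RECORDS = [
    {"id": "p-1", "fields": {
        "name": ("UNCLASSIFIED", "Constructed Responder"),
        "blood_type": ("SENSITIVE", "O+"),
        "assignment": ("SECRET", "zone-hot"),
    }},
    {"id": "p-2", "fields": {"assignment": ("SECRET", "zone-cold")}},
]


if __name__ == "__main__":
    print(replicate_downstream(RECORDS, "SENSITIVE"))
```

The mandatory label is evaluated before the discretionary share list, so sharing a SECRET document with a user whose clearance is UNCLASSIFIED grants nothing, and a regional store cleared to SENSITIVE receives a responder's name and blood type but never the SECRET assignment field.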

The Sensor Data Parsing Process allows data entering the security system from any information feed, such as a sensor feed, to be parsed into data that can be represented in a graph series. Parsing can be unique to the sensor type and manufacturer. To effectively parse data, the manufacturer's data schema can be processed and stored into a retrievable data structure that can be identified on-the-fly to the sensor.
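The schema-driven parsing just described is shown below as an added example, not code from the patent or the IMPACT system. The two sensor formats, their schemas and the sample feed lines are constructed; a real registry would load each manufacturer's schema from the data store keyed by the sensor's type. The point the paragraph leaves implicit, and the example makes concrete, is that a malformed line from an untrusted feed is counted and dropped rather than allowed to break the series:

```python
"""Schema-driven parsing of raw sensor feeds into graph series points.

Added example, not the patent's own code. The sensor types "thermo-A" and
"pressure-B", their line formats, the schemas and the sample lines are all
constructed. Each schema is looked up on the fly by sensor type and says how
a raw line is split and which fields feed which series.
"""

SCHEMAS = {
    # constructed CSV-style format: "<epoch>,<celsius>,<status>"
    "thermo-A": {
        "kind": "csv",
        "fields": ["ts", "temp_c", "status"],
        "series": {"temp_c": float},
        "ts": int,
    },
    # constructed key=value format: "t=<epoch> p=<kPa> batt=<percent>"
    "pressure-B": {
        "kind": "kv",
        "ts_key": "t",
        "series": {"p": float, "batt": float},
        "ts": int,
    },
}


def parse_line(sensor_type, line):
    """Return (ts, {series_name: value}) or None for a line the schema rejects."""
    schema = SCHEMAS.get(sensor_type)
    if schema is None:
        raise KeyError(f"no schema registered for sensor type {sensor_type!r}")
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        if schema["kind"] == "csv":
            parts = line.split(",")
            if len(parts) != len(schema["fields"]):
                return None
            rec = dict(zip(schema["fields"], parts))
            ts = schema["ts"](rec["ts"])
        else:
            rec = dict(token.split("=", 1) for token in line.split())
            ts = schema["ts"](rec[schema["ts_key"]])
        point = {name: conv(rec[name]) for name, conv in schema["series"].items()}
    except (KeyError, ValueError):
        return None  # malformed line: dropped, never crashes the feed
    return ts, point


def build_series(sensor_type, lines):
    """Turn a raw feed into ({series_name: [(ts, value), ...]}, rejected_count)."""
    series = {name: [] for name in SCHEMAS[sensor_type]["series"]}
    rejected = 0
    for line in lines:
        parsed = parse_line(sensor_type, line)
        if parsed is None:
            rejected += 1
            continue
        ts, point = parsed
        for name, value in point.items():
            series[name].append((ts, value))
    return series, rejected


# Constructed sample feeds, including a comment line and two malformed lines.
THERMO_FEED = [
    "# constructed thermo-A feed",
    "1700000000,21.5,ok",
    "1700000060,22.0,ok",
    "garbage",
    "1700000120,abc,ok",
]
PRESSURE_FEED = [
    "t=1700000000 p=101.3 batt=88",
    "t=1700000060 p=101.1 batt=87",
    "t=1700000120 p=x batt=86",
]


if __name__ == "__main__":
    print(build_series("thermo-A", THERMO_FEED))
    print(build_series("pressure-B", PRESSURE_FEED))
```

The rejected count is worth surfacing in the sensor GUI alongside the chart: a sudden rise in rejected lines from a feed that previously parsed cleanly is itself a signal that the sensor, its link or its configuration has changed.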

The Sensor Chart Generation Process allows the representation of sensordata through a graph series. Each graph can hold multiple series andupdate in real-time based, for example, on parsed data.

The Sensor GUI Interface Process allows a sensor GUI to act as therecord management facility as well as the interface for sensor graphsthat can depict real-time sensor feeds for a variety of sensor types.

The Logging/Alerting Services Process is specific to application processes and specific server processes. To configure logging and alerting, administrators can select an event type and then apply a rule to the event. Then, based, for example, on the relationship between a metric and the event, alarms can be triggered, actions activated, alerts sent to one or more individuals, entities or groups thereof, or the like.

The Identify Facts and Factsets Process allows processing of facts and fact sets that are known or defined facts about an expert domain.

The Build Rules and Rulesets Process allows for inferencing processes to take place.

The Apply Fuzzy Definitions Process allows for the application of intelligence to address non-linear problems.

The Define Training Requirements Process allows for the training of one or more neural networks.

The Stream Analysis Process allows for the capability to determine direction and distance of sounds as well as the sound type. Audio streams can be used as alerting features and can be saved in an encrypted format into a data store and checksummed to prove authenticity in the future.

The Audio GUI Process allows an audio GUI(s) to act as the record management facility as well as the graphic interface that allows users to configure and process audio data. Audio data can be collected from different sources.

The VOIP/Video Conference process allows audio and/or video communications between connected security systems. A specific security system can itself act as a collector for conversations from other end points. The security system can then trunk the communications into a stream of data that can be sent out to one or more participants.

The Reporting Process allows generation of different types of reports.

Ad Hoc—Ad Hoc reports show the user exactly what is on screen in the same state as the data container. For example, if a data grid is grouped and/or filtered then the report view will be of the grouped and filtered set of data. These reports are designed for on-the-fly real-time type reports.

Formatted—These reports are pre-defined and have a more professional look than ad hoc reports. These are the reports that are sent to others as a more formal document.

Metric based—These reports correlate data into a pivot grid like report structure. These reports are good for tracking certain sets of data over time.

Charts—These charts may be formatted as histograms, pie charts, bar charts, etc.

The reporting interface allows the user to define the report type and data to collect as well as save the report internally or export reports to other data formats.

The Data Request Process builds the SQL (or other) statement that requests data from a backend. Queries may be simple, complex, nested, multi-dimensional, etc., and will take into account future data extraction technologies.

The exemplary Transaction Process allows adding, deleting and modifying identities and other records and follows a straightforward transaction process. The process provides for the guarantee of the integrity and reliability of data and meets federal standards under HSPD-12 for identity verification in a government environment.

Exemplary Components include:

1. Transaction tracking mechanism (GUID, UUID, or any certificate).
2. Authentication medium (smartcards, chips, and any other data storage medium whether it is embedded, imbedded, attached, not attached, etc.).
3. Authentication factor (something a person has, something a person knows, who a person is, time, space, etc.).
4. Storage mediums (relational data structures, active directory, chips and other mediums).

Integrity and reliability of identity information can be done through transaction and data tracking through storage devices and authentication mediums through the use of:

1. GUID—globally unique identifiers
2. UUIDs—universally unique identifiers
3. Certificates (any type)
4. Other unique markers as they are developed.

GUIDs, UUIDs, or any certificate(s) and other markers can be used to uniquely identify an identity across local, regional, national and international structures whether they are storage structures or authentication mediums. An identity can be uniquely correlated through connected or disconnected space and time through any of the above markers. Considering the fact that certain attributes of personal or private data can't be transmitted in some cases, the unique marker/identifier provides a means to validate an identity without the loss or compromise of sensitive data. If sensitive data needs to be accessed the unique marker/identifier can be used as a lookup structure to a storage medium or to an authentication medium for additional sensitive data.

By using these markers and identifiers it is possible to replicate identities across multiple remote data stores locally, regionally, nationally or internationally without losing integrity. This also allows for near real-time updates for immediate identity visibility.
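The marker-based replication and transaction tracking described in the Transaction Process and the paragraph above, as an added example that is not part of the patent: each change carries its own UUID transaction id, replicas receive only the marker and non-sensitive attributes, validation works on the marker alone, and sensitive fields are fetched from the authoritative store only on demand. The store names, the set of sensitive field names and the sample identity are assumptions.

```python
"""Added example (not from the patent): identities replicated across
local/regional stores keyed by a UUID marker, with per-transaction ids.
Store names, sensitive field names and sample records are constructed."""
import uuid
from dataclasses import dataclass, field

# Assumed attribute names that must never be transmitted to remote replicas.
SENSITIVE_FIELDS = {"medical", "fingerprint", "background"}


@dataclass
class IdentityStore:
    name: str
    records: dict = field(default_factory=dict)       # marker -> attributes
    transactions: list = field(default_factory=list)  # (txn_id, marker, op)

    def apply(self, txn_id: str, marker: str, op: str, attrs: dict) -> None:
        # Every add/modify/delete is tracked under its own transaction id.
        self.transactions.append((txn_id, marker, op))
        if op == "delete":
            self.records.pop(marker, None)
        else:
            self.records[marker] = dict(attrs)


def public_view(attrs: dict) -> dict:
    """Strip the attributes that cannot leave the authoritative store."""
    return {k: v for k, v in attrs.items() if k not in SENSITIVE_FIELDS}


def replicate(op: str, marker: str, attrs: dict,
              authority: IdentityStore, replicas: list) -> str:
    """Apply one transaction to the authority and push the public view to
    every replica under the same transaction id; returns that id for audit."""
    txn_id = str(uuid.uuid4())
    authority.apply(txn_id, marker, op, attrs)
    for replica in replicas:
        replica.apply(txn_id, marker, op, public_view(attrs))
    return txn_id


def validate_identity(marker: str, store: IdentityStore) -> bool:
    """Validate by marker alone: no sensitive attribute is needed or sent."""
    return marker in store.records


def lookup_sensitive(marker: str, authority: IdentityStore, field_name: str):
    """Use the marker as a lookup key into the authoritative medium."""
    record = authority.records.get(marker)
    return None if record is None else record.get(field_name)


def consistent(authority: IdentityStore, replicas: list) -> bool:
    """Integrity check: every replica holds exactly the public view of each
    identity in the authority and the same transaction history."""
    expected = {m: public_view(a) for m, a in authority.records.items()}
    return all(r.records == expected and r.transactions == authority.transactions
               for r in replicas)
```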

While the above-described flowcharts have been discussed in relation to a particular sequence of events, it should be appreciated that changes to this sequence can occur without materially affecting the operation of the invention. Additionally, the exact sequence of events need not occur as set forth in the exemplary embodiments, but rather the steps can be performed by one or more of the elements described. Additionally, the exemplary techniques illustrated herein are not limited to the specifically illustrated embodiments but can also be utilized with the other exemplary embodiments and each described feature is individually and separately claimable.

The above-described system can be implemented on one or more secured, hardened and/or unsecured computer systems and related components, and may be connected to other systems, data feeds, network(s), etc., via a secure or unsecured or encrypted wired and/or wireless wide/local area network system, a satellite communication system, a modem, or the like, or on a separate programmed general purpose computer having a communications device.

Additionally, the systems, methods and protocols of this invention can be implemented on a special purpose computer(s), a programmed microprocessor or microcontroller and peripheral integrated circuit element(s), an ASIC or other integrated circuit, a digital signal processor, a hard-wired electronic or logic circuit such as a discrete element circuit, a programmable logic device such as a PLD, PLA, FPGA, PAL, any comparable means, or the like. In general, any device capable of implementing a state machine that is in turn capable of implementing the methodology illustrated herein can be used to implement the various systems and techniques described in relation to this invention.

Furthermore, the disclosed methods may be readily implemented in software using object or object-oriented software development environments that provide portable source code that can be used on a variety of computer or workstation platforms. Alternatively, the disclosed system may be implemented partially or fully in hardware using standard logic circuits or VLSI design. Whether software or hardware is used to implement the systems in accordance with this invention is dependent on the speed and/or efficiency requirements of the system, the particular function, and the particular software or hardware systems or microprocessor or microcomputer systems being utilized. The systems, methods and protocols illustrated herein can be readily implemented in hardware and/or software using any known or later developed systems or structures, devices and/or software by those of ordinary skill in the applicable art from the functional description provided herein and with a general basic knowledge of the computer and logical and physical security arts.

Moreover, the disclosed methods may be readily implemented in software that can be stored on a storage medium, executed on a programmed general-purpose computer with the cooperation of a controller and memory, a special purpose computer, a microprocessor, or the like. In these instances, the systems and methods of this invention can be implemented as a program embedded on a personal computer such as an applet, JAVA® or CGI script, as a resource residing on a server or computer workstation, as a routine embedded in a dedicated communication system or system component, or the like. The system can also be implemented by physically incorporating the system and/or method into a software and/or hardware system, such as the hardware and software systems of a security system.

It is therefore apparent that there has been provided, in accordance with the present invention, systems and methods for combined IT/Network and physical security management. While this invention has been described in conjunction with a number of embodiments, it is evident that many alternatives, modifications and variations would be or are apparent to those of ordinary skill in the applicable arts. Accordingly, it is intended to embrace all such alternatives, modifications, equivalents and variations that are within the spirit and scope of this invention.

1. An integrated physical and network security platform comprising: a unified credential having associated therewith information allowing access to one or more of a physical area and a computer system; a security management system including a data store and connectivity modules allowing scalability and one or more connections to one or more additional security management systems, wherein the security management system is capable of interfacing with one or more of an existing enterprise physical security system and an existing enterprise computer system; an incident management perimeter access control and tracking system that manages one or more of personnel, tasks, equipment and access for a secure area.

2. The system of claim 1, further comprising a credential issuance system that can associate information with the unified credential.

3. The system of claim 2, wherein the information pertains to one or more of personnel and equipment.

4. The system of claim 3, wherein information about the personnel comprises one or more of fingerprint information, name, credentials, certifications, biometric information, access information, a picture, background information and medical information.

5. The system of claim 1, wherein the unified credential includes a contact or contactless chip and one or more of a bar code, printed data, proximity chip, magnetic stripe, token and computer readable information.

6. The system of claim 1, wherein the secure area can be a physical area, a computer or a computer network.

7. The system of claim 1, wherein a credential issuance system interfaces with one or more of a fingerprint capture system, a camera, a PIN capture system, a signature capture system, a document scanner, a card reader/writer, a card printer and a report printer.

8. The system of claim 1, wherein the unified credential is a smart card, smart chip, embedded chip or implanted chip.

9. The system of claim 1, wherein the information associated with the unified credential is verified through a government entity.

10. The system of claim 9, wherein status information related to the verification of the information is maintained by the security management system.

11. The system of claim 1, wherein the security management system can receive information from one or more external data sources.

12. The system of claim 11, wherein the external data sources include one or more of map information, terrorist activity information, incident information, global positioning system information, audio information, video information, perimeter breach information, alarms, enterprise security system status information, local emergency response information, local, state, federal or international governmental information and information obtained from one or more other security management systems.

13. The system of claim 1, further comprising a rules toolkit, the toolkit allowing a user to construct one or more rules including metrics that govern the handling and action to be taken based on received information.

14. The system of claim 1, further comprising an interface module configured to communicate with the one or more of the existing enterprise physical security system and the existing enterprise computer system.

15. The system of claim 1, wherein the platform includes one or more of satellite communications capabilities, VOIP capabilities, networking capabilities, switch-based network communication capabilities and packet-based network capabilities.

16. The system of claim 1, wherein the platform can be booted into a plurality of modes.

17. The system of claim 16, wherein the modes are one or more of an EMS mode, a national disaster mode, an incident mode, a local disaster mode, a state disaster mode, a terrorist activity mode and an international disaster mode.

18. The system of claim 17, wherein additional modes can be dynamically added in real-time.

19. The system of claim 17, wherein each mode has an associated set of templates related to management of information associated with the security management system.

20. The system of claim 1, further comprising a data filtering module that filters data based on a sensitivity rating.

21. The system of claim 1, further comprising a prediction module utilizing artificial intelligence to analyze information received by the security management system.

22. The system of claim 1, wherein the system provides security for one or more of chemical, drinking water and wastewater treatment systems, energy facilities, dams, commercial nuclear reactors, water sectors, process manufacturing, emergency services, public health and healthcare, continuity of government, government facilities, defense facilities, defense industrial base, continuity of government, information technology, telecommunications, converged facilities, national monuments and icons, postal and shipping, banking and finance, commercial facilities, materials and waste facilities, transportation systems, port security, aviation security, cargo, cruise ships, trains, mass transit, Intermodal, food and agriculture facilities, military facilities, first responders, police, fire control access to a machine and OSHA Compliance.

23. The system of claim 1, wherein the unified credential is stored in an RFID shielded pouch.

24. A method for providing integrated physical and network security comprising: providing a unified credential having associated therewith information allowing access to one or more of a physical area and a computer system; maintaining a security management system including a data store and connectivity modules allowing scalability and one or more connections to one or more additional security management systems, wherein the security management system is capable of interfacing with one or more of an existing enterprise physical security system and an existing enterprise computer system; monitoring an incident management perimeter access control and tracking system that manages one or more of personnel, tasks, equipment and access for a secure area.

25. The method of claim 24, wherein the information pertains to one or more of personnel, equipment, corporation, government entity, international entity or facility.

26. The method of claim 25, wherein information about the personnel comprises one or more of fingerprint information, name, credentials, certifications, biometric information, access information, a picture, a unique identifier, background information and medical information.

27. The method of claim 24, wherein the unified credential includes a contact or contactless chip, smart card, smart chip or embedded chip, implanted chip and one or more of a bar code, printed data, proximity chip, magnetic stripe and computer readable information.

28. The method of claim 24, wherein the secure area can be a physical area, a computer or a computer network.

29. The method of claim 24, wherein a credential issuance system interfaces with one or more of a fingerprint capture system, a camera, a PIN capture system, a signature capture system, a document scanner, a card reader/writer, a card printer and a report printer.

30. The method of claim 24, wherein the unified credential is a smart card, implanted chip or embedded chip.

31. The method of claim 24, wherein the information associated with the unified credential is verified through one or more of a government entity, certificate authority, corporate entity, state authority and local authority.

32. The method of claim 31, wherein status information related to the verification of the information is maintained by the security management system.

33. The method of claim 24, wherein the security management system can receive information from one or more external data sources.

34. The method of claim 33, wherein the external data sources include one or more of map information, GIS information, terra server information, terrorist activity information, incident information, global positioning system information, audio information, video information, perimeter breach information, alarms, enterprise security system status information, local emergency response information, local, state, federal or international governmental information and information obtained from one or more other security management systems.

35. The method of claim 24, wherein the platform includes one or more of satellite communications capabilities, VOIP capabilities, networking capabilities, switch-based network communication capabilities and packet-based network capabilities.

36. The method of claim 24, wherein the platform can be booted into a plurality of modes.

37. The method of claim 36, wherein the modes are one or more of an EMS mode, a national disaster mode, an incident mode, a local disaster mode, a state disaster mode, a terrorist activity mode and an international disaster mode.

38. The method of claim 37, wherein additional modes can be dynamically added in real-time.

39. The method of claim 38, wherein each mode has an associated set of templates related to management of information associated with the security management system.

40. The method of claim 24, wherein the system provides security for one or more of chemical, drinking water and wastewater treatment systems, energy facilities, dams, commercial nuclear reactors, water sectors, process manufacturing, emergency services, public health and healthcare, continuity of government, government facilities, defense facilities, defense industrial base, continuity of government, information technology, telecommunications, converged facilities, national monuments and icons, postal and shipping, banking and finance, commercial facilities, materials and waste facilities, transportation systems, port security, aviation security, cargo, cruise ships, trains, mass transit, Intermodal, food and agriculture facilities, military facilities, first responders, police, fire and OSHA Compliance.

41. Any one or more of the features as described herein.

42. Means for performing any one or more of the features described herein.

43. A computer readable storage medium comprising information, that when executed, performs one or more of the functions described herein.

44. The method of claim 24, wherein a combination of SQL and active directory are used to integrate the physical and network security.

45. The method of claim 24, wherein authentication is based on location based in time.

46. The method of claim 45, wherein artificial intelligence compares location and time information to determine authentication.